(57) ABSTRACT

A directory server including a supplier server, a consumer 
server in communication with the supplier server, a plurality 
of pluggable services that manage replication of data con- 
tained within the directory server from the supplier server to 
the consumer server, and a directory server mapping tree 
used to select a backend to handle a request. Replication of 
data is managed using the directory server mapping tree. 
DIRECTORY SERVER MAPPING TREE
BACKGROUND OF THE INVENTION 

[0001] Tnc most «-»^^££fo£S 
colter is the V-Hlf g^to™ from 
systems exist in tbe market place ^™ (Sun Micro sys- 
Sun Microsystems Inc., f p ^^ e X ^pertino, Calif, 
terns), MacOS from Apple Conju^inc, ^ ft ^ 

Windows® 95/98 ^^J^d^Tne combi- 
poration, ^ c °^f^S tanlware is referred to 
nation of an OS and ite "^^MoVto Ae popularity of 

herein as a ^^tSZrs^V^^ s P ecifi - 
me Internet, »^^£?S^ *2fa" with a 
cally designed for "^.^^ JpoMcation program 
sin ^e -\^ te "^ p ^^for one platform 
interfaces (APIs). Thus, a me adven t of the 

could not be run on another. H™ 6 ^! ^^ity and a 
Internet made cross-platform m6 

bro ader definition o a P«,^S(OS^rdw«e) 

Fernet and World Wide Web. ^ 

[0002] Effective P^^^wS^ 
requires me platform ^concept* be exten ^ ^ 

?» tfs^ ^nstn X^applicaUonprogrammers 
S^ta^t consistent environment. 
[0003] OTanet" E^nwce SoluUor^ a 

abling platform " £pt\U iSDP (») gives busi- 
Deployment S fcmA - 

♦ „f the ISDP (28) is iPlanet™ 
[0004] Ac*«jP— 

^S^S'^n ^aTcan handle more 
tocol (LDAP>*asea su Directory Server (iDS) 

5,000 queries per second ■ > intranet or 

provides a «ntrali^ du^ry ^ ^ ^ tenn 
Extranet while W^^g, oCftware, hard- 
«directoryserv.ce re ^^l rrnat ion and make the 
ware, and Jhatstme^nl ^ 

information available to users^i ne , more 

ally includes at least one ^^^^ ^ access 
^phrnuK^^oKatas.redm 

all information m a single, newom pro- 
Tne iDS provides. teiS-iD- c~ 

gramnnng prov i d es global directory ser- 

tained by the .DS- ^J*^" ^isprovidedto a wide variety 
vices, meaningmatmform^n^Fo^a ^ 

of applications. Until ^^Vbfle a proprietary 
bundled with a propriety _database^ ^ fe ^ 

database can be convenient if only °« J*P burden if the 
multiple databases become £2^, » a 

databases manage the same mf ormaUon . For P ^ 
network that supports three dtferem pp directory 
systems where ^"^Ke Rectory, me 
service, if a user changes password 


changes are not automatic^ ^^J^SSSE 

sr^tirr^nnei^. 

[000,] Tne ***~Z^j££ *A 

centralized repository of toct ary ^ ^ f 

application can ^"^^requfes a network-based 

upsJustasmeSjmpteMail m ^ ^ ^ 

Transfer Protocol 0*1 is in ^ fe defined as an on-the- 
ering documents. Technical y, * * ^ wer Trans- 

c^rfrS-y^or applications to request and 
manage directory information. ros 

not relational, and is OP^ ^ ^SStod. central 
scalabiUty. This directory becomes > "JV^ ^ pro - 
reposito? that contains ^^^iSnation fT all 
vides user, group, ^i^^l me directory can 

applicatioos on .^.^^^010^ managers with a 
bi used to P ro ^e jnformauonj^oio^ ^ & ^ 
list of all the hardware and software ^ 
spanning enterpnse M£ SSS^ "* "* * 
provides ^^^iations that have previously 
m6 integration of these d of crea ting an 

functioned as stand-alone ^"V^ me user needs to 

account for ^^£g£* for me user in the 
access, a single dirertory entry o{ & typK ^ 

LDAP directory. FIG. 2 snows * £ real-world 
Sctory with different — 'JSffi entry (90) 
objects. Rectory oflotauTcomponent (dc), an orga- 
with the attribute Mypo of d^mam ^ ^ rf 
^nal unitentry entry (94) wim the 

rational unit (ou), a server *w person entry (96) 

attribute type ^^^^ In^ entries are 
with the attribute type of user lu V"' ^ 
connected by the directory 


connectea vy ^ 

[0009] Understandm, ^^T^^t a 
discussion of an U3APp|0^ol. T^ U> ^ ^ 
message^rien^d P^^f^ds the message to the 
message containing a request an c M» a result, 

server. The server P^^^^et of LDAP messages, 
or results, back to the cUent as asenes ^o 
Referring to FIG. 3, when^ ( |o0) constructs 
the directory for a speaflc entry, me message to 
an LDAP search Xf^^^e LD AP server (102) 

message (step 108). 

[0010] LDAP^ompUant « --^^ed 
U nine basic P-^^SeloS is interrogation 
tgZSStZZ* J Smpare operators. 
ttese Ration, ^JS'SSS 10 ^

of the directory. The LD AT !!d retrie ve individual direc- 
search the directory ^ -^IToperatioD exists. The 
tory entries. No separate UJAr re add, 

delete, ^'^^^3^^^ name of 
rename, operato^^N»a ^ ^ 

an entry in P^^Srt Tte third category is wlton- 

and abandon operators. 

[0011] Tb.W--P-- S * B ^£^ 

l to the directory WjKtSSi* are sent by the 
credentials. The DN ^a 5 " chec ks whether the cre- 
cUent to the directory. The servo m»c ^^als 

dentials are - ^ 

are correct, notes thaUhechenns au ^ re . au «henU- 
thc connection remains open ^ tQ tennina tc a 

cates. The unbind operaUon^ows a operation, the 
session. When the che °L^^ information associated 
server discards any "JTS^ "* outstaD ^ B 
with the client cormecUon, <e ^ cUent ^ mu s 

LDAP operations, ^ f ^^^on operation allows 

tion that corresponds to the message iu 

the LDAP protocol defines a tramew ations . 
operations to the protocol v» U>AP e * fa ^ 

^.STT STil'S*-^- needs as they 

describes one particular Jrait of an obj ^ ^ 

composed of an attribute values. FIG. 4 shows an 

exemplary entry (124) S °°Xve constraints that limit the 
values (122). Attributes mayhave consu^ A 

type and length the attribute types 

directory sctema places re^r.^ contained in the 

(120) that must be, or are allowed id 
entry (124). 


the backend mapped m the airecu* y 
that matches the search criteria. 

i in one aspect, the invention involves a 
[0016] In general w on f j^^- a directory server 
'method for selecting »**£2pK? providing a search 
mapping tree. The "f^^E/a search request by 
criteria by a client app»> "^^Sdung the directory 
the directory server »W *£jXei£ selecting the 
server 

backend mapped in tto dwe ^ * ^ directory server 
matches the search <£"*J?2Kd by the client appli- 
mapping tree ta^J- resembles the search 
cation, determming a node £J modifymg the 

criteria provided by the cWiJ without depen- 

directory server mappmg ttee from a W match 
dence on node «^^exac^Lh is not found, 
based on the search cntena.il 


SUMMARY OF INVENTION 


based on me ^ — "V. m6 mven tion involves an 
[0017] I^^.^Snd^usmH directory server 
apparatus for selecting a backend i^g^ providing 
mTpping tree. The apparatus ^rnpn^'ne 
aseLh criteria ^^^^Z^™,**** 

claims. 

BRIEF DESCRIPTION OF DRAWINGS 

[0019] FIG. 1 illustrates a block diagram of iPlanet™
Internet Service Development Platform.

[0021] FIG. 3 illustrates the LDAP protocol
simple request.

[0022] FIG. 4 illustrates a directory entry showing
attribute types and values.

[0023] FIG. 5 illustrates a typical computer with
components.

[0024] FIG. 6 illustrates a default DIT.

[0025] FIG. 7 illustrates an example DIT.

stored in different backends. 


i in one aspect, the invention involves a 
directory server. The directory K ber 
a consumer server m that manage rcpli- 

server, a plurality of iJW^f^Sory server from the 
cation of **«^^£«SSa directory server 
suppBerserverto^cons^er^ ^ & ^ 

^SoToSta^aged using the directory server 

method for selecting * ^cke^i^g a search 

mapping tree. The method co W** 0 ^ request by 
criteria by acheutapphcaUon,u^ung^ 
the directory server mappmg tree, scare & 


is stored in amercm — 

DETAILED DESCRIPTION 

tSTt^ » *c»«d 

on virtually any type w . f . shown in FIG. 5, a 
platform being used. For example, 
typical computer (130) has a processor (132), memory
(134), among others. The computer (130) has associated
therewith input means such as a keyboard (136) and a mouse
(138), although in an accessible environment these input
means may take other forms. The computer (130) is also
associated with an output device such as a display (140),
which also may take a different form in a given accessible
environment. The computer (130) is connected via a
connection means (142) to a wide area network (144), such as
the Internet.

[0031] A basic directory tree, also known as directory
information tree (DIT), mirrors a tree model used by most
file systems, with a tree root, or first entry, appearing at the
top of a hierarchy. At installation, the iDS creates a default
directory tree as shown in FIG. 6. The default directory tree
contains a root (160) (dc=root, dc=suffix) and two entries. A
first entry is o=NetscapeRoot (162). The data contained by
this subtree is used by the iPlanet™ Administration Server.
The iPlanet™ Administration Server handles authentication,
and all actions that cannot be performed through LDAP
(such as starting or stopping). A second entry is cn=config
(164). This subtree contains iDS configuration information.

[0032] The initial directory tree contains one subtree
reserved for the server itself and one subtree for iPlanet™
Administration Server. All the iDS typically contain the
cn=config data, but only one (the first server installed)
contains the o=NetscapeRoot information. The default
directory can be built upon to add any data relevant to a
directory installation.

[0033] A Directory Server Mapping Tree (DSMT) is a
method and a tool for selecting a backend to handle a
request. A backend is a server, storage medium where data
is stored in a retrievable fashion. A request is a query to a
server to perform an LDAP operation. The LDAP operation
may involve selecting multiple backends, requiring the
DSMT to pick which backends to use. The DSMT is a
mapping from subtrees in the DIT to backends. A node in the
DSMT represents a subtree in the DIT. The node is stored as
an entry in the DSMT as well as an entry in the DIT.

[0034] Each entry in the DIT is searched for each search
initiated by a client application. FIG. 7 illustrates an
example DIT. A search of this example DIT involves
comparing every entry with the search DN to determine if a
match is made. Here, the following entries may be compared
during the search: o=NetscapeRoot (172), o=Airius.com
(170), ou=marketing (174), ou=development (176),
ou=testing (178), and ou=partners (180). The results are then
returned to the client application.

[0035] FIG. 8 illustrates a typical example of how the
DSMT stores the DIT into different backends. A backend is
created for o=NetscapeRoot (192). Another is made for
o=Airius.com (190). Another backend for ou=development,
o=Airius.com (194). Another backend for ou=testing,
o=Airius.com (196). A final backend for this example DIT is
made from ou=partners, ou=development, o=Airius.com
(198).

[0036] The DSMT is traversed for each LDAP operation
the server performs. FIG. 9 illustrates the typical steps
involved in searching a DIT using DSMT. A client
application initiates a search request providing a search DN, e.g.,
cn=John Doe, ou=testing, and o=Airius.com (Step 100). The
DSMT proceeds to find which backend will handle the
request (Step 101). The objective is to find the backend that
most closely matches the search DN. The DSMT first
compares the parent level nodes with the search DN, i.e., the
DSMT attempts to find a backend with o=Airius.com (Step
102). If the parent level nodes do not match (Step 104), then
the DSMT continues to search for the parent level node with
a matching DN. If the parent level nodes match the search
DN (Step 104), then the DSMT proceeds to search for child
level nodes connected to the parent node that match the
search DN, i.e., the DSMT looks for child level nodes with
a DN of cn=John Doe, ou=testing (Step 106). If all child
level nodes do not match (Step 108), then the DSMT
continues to search for a set of child level nodes that match
the search DN. If all child level nodes match the search DN
(Step 108), then the DSMT proceeds to select the backend
containing the parent and child level nodes specified in the
search DN to handle the request (Step 110).

[0037] In one embodiment of the present invention, if an
exact match is not found, the closest match based on
criteria specified by the client application or the DSMT is
selected to process the request. In one embodiment of the
present invention, the DSMT determines the closest match
by determining which of the backends contains the greatest
number of matching parents and children. The backend with
the greatest number of matching parents and children based on
the search DN is selected to process the application. If two
or more backends have the same number of matching
parents and children, then they are all returned to process the
request.

[0038] FIG. 10 illustrates a flow process of the DSMT 
(156) returning several backends (162) to handle a request 
(154), though those skilled in the art will recognize that the 
number of backends is variable and the process may be 
modified accordingly. In this figure, the LDAP client (152) 
sends a request (154) to the DSMT (156). The DSMT (156) 
determines which node most closely resembles the request 
(154), and returns a list (158) of the backend(s) (162) to 
handle the request (154). In this case, several backends (162) 
to handle the request (154) are returned (158). A successive 
search (160) of the list (158) is then initiated by the LDAP 
client (152). A sum of the results (164) of the successive 
search (160) is returned to the LDAP client (152) to resolve 
the request (154). 

[0039] Each DSMT node has a state that is used to enable 
or disable a DSMT node. The state may also be used to 
specify that a referral must be sent, rather than performing 
the LDAP operation on the backend itself. A referral is an 
LDAP URL returned to the client when the server receives 
a request for an entry not belonging to the DIT. One state of 
a node is a backend state, where the node is enabled. Another 
state is a disabled state, where the node is disabled. A further 
state is a referral state, where a referral is sent back for any 
type of access. 

[0040] Another state is a referral on update state, where a 
referral is sent back for an update LDAP operation, except 
for a replication LDAP operation. 

[0041] Each node of the DSMT has an entry in the DIT
under cn=mapping tree, cn=config, though those skilled in
the art will recognize that these terms are variable,
depending on implementation. In order to be recognized as DSMT
entries, the entry in the DIT uses a nsMappingTree
objectclass, though again, those skilled in the art will recognize
that this term is variable, depending on implementation.

[0042] The entries in the DIT that exist for the DSMT used
in the previous example are as follows:

[0043] DN: cn="o=Airius.com", cn=mapping tree, cn=config
[0044] objectclass: nsMappingTree
[0045] nsslapd-backend: Airius.com
[0046] nsslapd-state: backend
[0047] DN: cn="ou=testing, o=Airius.com", cn=mapping tree, cn=config
[0048] objectclass: nsMappingTree
[0049] nsslapd-backend: testing
[0050] nsslapd-parent-suffix: o=Airius.com
[0051] nsslapd-state: backend
[0052] A DSMT entry root DN (cn="ou=testing,
o=Airius.com") is the same root DN for the subtree of the
with quotes around it, though other
embodiments of the present invention may not
or include demarcation other than quotes. The root DN of the
subtree is a suffix for the backend the node points to.
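
An added example (not from the patent or the iDS code base) of the node selection in [0036]-[0037] and the node states in [0039]-[0040], run over a mapping tree built from FIG. 8. The backend names other than Airius.com and testing, the non-default states, the referral URL and field, and the handling of a disabled node are assumptions made for the example.

```python
from dataclasses import dataclass

UPDATE_OPS = {"add", "delete", "modify", "rename"}  # LDAP update operations

def parse_dn(dn):
    """Split a DN into lower-cased (type, value) RDNs; simplified, no escaped commas."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1))
            for rdn in dn.split(",") if rdn.strip()]

@dataclass
class Node:
    suffix: str              # root DN of the DIT subtree this node represents
    backend: str             # nsslapd-backend
    state: str = "backend"   # backend | disabled | referral | referral on update
    referral: str = ""       # LDAP URL to hand back (field name is an assumption)

def select_node(nodes, target_dn):
    """Pick the node whose suffix matches the most trailing RDNs of target_dn."""
    target = parse_dn(target_dn)
    best, best_len = None, 0
    for node in nodes:
        suffix = parse_dn(node.suffix)
        n = len(suffix)
        # Compare whole RDNs, not raw strings, so "foo=Airius.com" never
        # matches the suffix "o=Airius.com".
        if best_len < n <= len(target) and target[-n:] == suffix:
            best, best_len = node, n
    return best

def route(nodes, target_dn, op, is_replication=False):
    """Apply the node state of [0039]-[0040] to one LDAP operation."""
    node = select_node(nodes, target_dn)
    if node is None:
        return ("no_matching_node", None)
    if node.state == "disabled":
        return ("refused", node.suffix)  # assumed handling; the page only says "disabled"
    if node.state == "referral":
        return ("referral", node.referral)
    if node.state == "referral on update" and op in UPDATE_OPS and not is_replication:
        return ("referral", node.referral)
    return ("backend", node.backend)

# Constructed mapping tree following FIG. 8; states and URL are sample values.
REFERRAL_URL = "ldap://supplier.example.com/ou=development,o=Airius.com"
TREE = [
    Node("o=NetscapeRoot", "NetscapeRoot"),
    Node("o=Airius.com", "Airius.com"),
    Node("ou=development, o=Airius.com", "development", "referral on update", REFERRAL_URL),
    Node("ou=testing, o=Airius.com", "testing"),
    Node("ou=partners, ou=development, o=Airius.com", "partners", "disabled"),
]

if __name__ == "__main__":
    for dn, op in [("cn=John Doe, ou=testing, o=Airius.com", "search"),
                   ("cn=x, ou=development, o=Airius.com", "modify"),
                   ("cn=a, foo=Airius.com", "search")]:
        print(dn, op, route(TREE, dn, op))
```
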
[0053] A DSMT application programming interface (API)
allows modification of the DSMT from the server code or
from a plugin with no dependence on the node
representation.

[0054] Advantages of the present invention may include
of a multiple backend environment. The DSMT allows the
server to easily determine which backends handle the
request when a search spans multiple backends.
Additionally, because the nodes are represented as entries in the DIT
as well as in the DSMT, client applications may manipulate
the DIT as needed. More information may also be added to
the nodes to increase functionality, such as replacing a
pointer to a backend with a referral when a backend needs
to be taken down for maintenance. Another advantage of the
present invention is that the node may also contain any number
of pointers to a backend, allowing the server to distribute
requests in the same subtree over a number of backends. To
determine which backend will be used to handle a request,
several approaches may be implemented. One
implementation is to have a plugin that determines which backend to
use. In order to make that determination, the plugin needs to
provide a function to pick, using some basis, the backend
from a list of backends. The basis is determined by the entry
or the time of day, the type of LDAP operation, or any
number of other information. A further advantage is that a
node of the DSMT is an extensible object. An extensible
object is one such that a plugin is able to attach information
in the form of attributes to the node.
when permanent storage of information is needed. Another
advantage is that referrals may be sent back to the client
application.
In other words, the DSMT need not choose

art will appreciate that the present invention may have
further advantages.


[0055] While the invention has been described with
respect to a limited number of embodiments, those skilled in
the art, having benefit of this disclosure, will appreciate that
other embodiments can be devised which do not depart from
the scope of the invention as disclosed herein. Accordingly,
the scope of the invention should be limited only by the
attached claims.


What is claimed is:

1. A directory server comprising:
a supplier server;
a consumer server in communication with the supplier
server;
a plurality of pluggable services that manage replication
of data contained within the directory server from the
supplier server to the consumer server; and
a directory server mapping tree used to select a backend
to handle a request;
wherein replication of data is managed using the directory
server mapping tree.

2. The directory server of claim 1, wherein the directory
server mapping tree is traversed for each operation the
consumer server performs.

3. The directory server of claim 1, wherein a node is
determined that most resembles the search criteria provided
by the client application.

4. The method of claim 3, wherein the node has a state
enabling the directory server mapping tree.

5. The method of claim 3, wherein the node has a state
disabling the directory server mapping tree.

6. The method of claim 3, wherein the node has an entry
in the directory information tree.

7. A method for selecting a backend using a directory
server mapping tree, comprising:
providing a search criteria by a client application;
initiating a search request by the directory server mapping
tree;
searching the directory server mapping tree using the
search criteria; and
selecting the backend mapped in the directory server
mapping tree that matches the search criteria.

8. The method of claim 7, further comprising:
traversing the directory server mapping tree for each
request initiated by the client application.

9. The method of claim 7, further comprising:
determining a node that most resembles the search criteria
provided by the client application.

10. The method of claim 9, wherein the node has a state
enabling the directory server mapping tree.

11. The method of claim 9, wherein the node has a state
disabling the directory server mapping tree.

12. The method of claim 9, wherein the node has an entry
in the directory information tree.

13. The method of claim 7, further comprising:
modifying the directory server mapping tree from a plugin
without dependence on node representation.